------------------------------------------------------------------------------

################################################
#           HOW TO COVER YOUR TRACKS           #
################################################

PART ONE : THEORY & BACKGROUND

----------------------------------------------------------------------
Please excuse my poor English - I'm German, so it's not my mother tongue I'm writing in. Anyway, if your English is far better than mine, don't think this text hasn't got anything to offer you. On the contrary: ignore the spelling errors and the syntax, the content of this document is what matters ...

NOTE : This text is split into TWO parts. The first one, this, teaches the background and theory. The second just shows the basics as an easy step-by-step procedure: what to type and what to avoid. If you are too lazy to read this whole stuff here (sucker!) then read that one. Its main targets are novice Unix hackers.
If you think getting the newest exploits fast is the most important thing you must think about and keep your eyes on - you are wrong. How does the best exploit help you once the police have seized your computer, all your accounts are closed and everything is monitored? Not to mention the warrants etc. No, the most important thing is not to get caught. It is the FIRST thing every hacker should learn, because on many occasions, especially if you make your first hacks at a site which is security conscious because of many break-ins, your first hack can be your last one (even if all that lies a year back, "they" may still come up with it!), or you are too lazy to change your habits later in your career. So read through these sections carefully! Even a very skilled hacker can learn a bit or byte here.
So this is what you find here:

Section I    - you are reading me, the introduction
Section II   - the mental things and how to become paranoid
                 1. Motivation
                 2. Why you must become paranoid
                 3. How to become paranoid
Section III  - the basics you should know BEFORE you begin hacking
                 1. Preface
                 2. Secure yourself
                 3. Your own account
                 5. Don't leave a trace
                 6. Things you should avoid
Section IV   - the advanced techniques you should take notice of
                 1. Preface
                 2. Prevent tracing of any kind
                 3. Find and manipulate any log files
                 4. Check the syslog configuration and logfile
                 5. Check for installed security programs
                 6. Check the admins
                 7. How to "correct" checksum checking software
                 8. User security tricks
Section V    - what to do once you are under suspicion
Section VI   - the dos and don'ts when you get caught
Section VII  - a short listing of the best programs for hiding
Section VIII - last words, the common bullshit writers wanna say

So read carefully and enlighten yourself.
----------------------------------------------------------------------
SECTION II - THE MENTAL THINGS AND HOW TO BECOME PARANOID
----------------------------------------------------------------------

CONTENTS : 1. Motivation
           2. Why you must become paranoid
           3. How to become paranoid
* 1. MOTIVATION *

The mental aspect is the key to being successful in anything. It's the power to motivate yourself, to fight on if it hurts, to be self-disciplined, paranoid and realistic, to calculate risks correctly and to do the stuff you don't like but which is important, even if you'd rather go swimming right now.

If you can't motivate yourself to program important tools and to wait for the crucial time to hit the target, then you'll never get anywhere with your "hacks".

A successful and good hacker must meet these mental requirements. It's like doing bodybuilding or a diet - you can learn it ...

EVEN THE BEST KNOWLEDGE WON'T HELP YOU UNLESS YOU ARE REALLY DETERMINED TO TAKE THE PRECAUTIONS AND ACTUALLY TAKE THEM!
* 2. WHY YOU MUST BECOME PARANOID *

It's true that normally being paranoid is not something which makes your life happier. However, if you aren't expecting the worst, anything can hit you and throw you off balance. And you are risking very much with your doings. In your normal life you don't need to worry much about cops, thieves and the like. But if you are on the other side, remember that you make other people's lives hard and bring them nightmares plus work - and they want to stop you. Even if you don't feel like you are committing a crime - you actually are. Hacker witch-hunting pops up fast and gets everyone who might be involved. It's the sad thing: YOU ARE GUILTY UNTIL PROVEN OTHERWISE! Once you've got the stigma of being a hacker you'll never get rid of it. Once you have an entry in your police record it's very hard to find a job. Especially no software company, not even any computer-related company, will ever hire you; they will be afraid of your skills, and you will find yourself forced to emigrate or your life lost. Once you fall down, only a few can get up again.

Remember you have got everything to lose!
Never feel silly doing THAT extraordinary action against tracing!
Never bother if someone laughs at your paranoid doings!
Never be too lazy or tired to modify the logs!
A hacker must do his work 100%!
* 3. HOW TO BECOME PARANOID *

If you've read the part above and you think it's true, it's easy - you have already become paranoid. But it must become a substantial part of your life. If you've made it to being a good hacker, always think about whom to tell what, and that your phone calls and emails might be monitored. Always reread the section above.

If the above didn't help you, then think about what happens if you are caught. Would your girlfriend stay at your side? Even if her father speaks a hard word? Do you want to see your parents cry? To be thrown out of your school/university/job?

Don't give this a chance to happen!

If even this is not enough to motivate you:
KEEP AWAY FROM HACKING!
You are a danger to the whole hacking society and your friends!
* 4. STAY PARANOID *

I hope you have learned now why it is important to become paranoid. So stay paranoid. One mistake or lazy moment could suffice to ruin your life or career.

Always remember the motivation to do it.
----------------------------------------------------------------------
SECTION III - THE BASICS YOU SHOULD KNOW BEFORE YOU BEGIN HACKING
----------------------------------------------------------------------

CONTENTS : 1. Preface
           2. Secure yourself
           3. Your own account
           5. Don't leave a trace
           6. Things you should avoid
* 1. PREFACE *

You should know this and practice it before you start your first hack. These are the absolute basics; without them you are in trouble soon. Even an experienced hacker can find a new hint or piece of info in here.
* 2. SECURE YOURSELF *

What if a SysAdmin reads your email?
What if your phone calls are recorded by the police?
What if the police seize your computer with all your hacking data on it?

If you don't receive suspicious email, don't talk about hacking/phreaking on the phone and haven't got sensitive/private files on your hard disk, then you don't need to worry. But then again you aren't a hacker. Every hacker or phreaker must keep in touch with others and have his data saved somewhere.

Encrypt every piece of data which is sensitive!
Online hard disk encryptors are very important and useful: there are good hard disk encryptors freely available on the Internet which behave fully transparently to your operating system, i.e. the packages listed below are tested and were found to be a hacker's first choice:
 - If you use MS-DOS get SFS v1.17 or SecureDrive 1.4b
 - If you use Amiga get EnigmaII v1.5
 - If you use Unix get CFS v1.33
File encryptors: you can use any, but it should use one of the well-known and secure algorithms. NEVER use an encryption program which may be exported, because their effective key lengths are reduced!
 - Blowfish (32 rounds)
Encrypt your emails!
 - PGP v2.6.x is used most, so use it too.
Encrypt your phone calls if you want to discuss important things.
 - Nautilus v1.5a is so far the best
Encrypt your terminal sessions when connected to a Unix system. Someone might be sniffing, or monitoring your phone line.
 - SSH is so far the most secure
 - DES-Login is fine too

Use strong passwords: non-guessable passwords which are not mentioned in any dictionary. They should seem random but be easy for you to remember. If the key length is allowed to be longer than 10 chars, use that, and choose a sentence from a book, slightly modified. Please encrypt the phone numbers of hacker friends twice. And call them from payphones/office phones/etc. only, if you don't encrypt the conversation.

The beginner only needs PGP, a file encryptor and an online hard disk encryptor. If you are really deep into hacking, remember to encrypt everything.

Make a backup of your data (Zip drive, other hard disk, CD, tape), encrypted of course, and store it somewhere which doesn't belong to any computer-related guy or family member and isn't in your house. So if a defect, fire or fed raid occurs, you've got a backup of your data.

Keep written notes only as long as you really need them. Not longer. Keeping them in an encrypted file or on an encrypted partition is much more secure. Burn the papers once you don't need them anymore. You can also write them down with a cipher which only you know of, but don't tell others and don't use it too often, or it can be easily analyzed and broken.

Really hardcore or ultra-paranoid hackers should also consider the TEMPEST project. Cops, spies and hackers could monitor all your doings. A well-equipped man could have *anything* he wants: electronic pulse emanations can be caught from more than 100 meters away and show your monitor screen to somebody else, a laser pointed at your window lets them hear private conversations, the identifying high-frequency signals of keyboard clicks ... so the possibilities are endless. Low-cost prevention can be done by electronic pulse jammers and the like, which are becoming available on the public market, but I don't think this is secure enough to keep anyone dedicated away.
* 3. YOUR OWN ACCOUNT *

So let's talk about your own account. This is the real account you got at your school/university/job/provider, and it is associated with your name. Never forget to follow these rules:

Never do any illegal or suspicious things with your real accounts!
Never even try to telnet to a hacked host!
Security mailing lists are okay to read with this account. But *everything* which *seems* to have to do with hacking must be either encrypted or deleted at once.
Never leave/save hacking/security tools on your account's hard disk.
If you can, use POP3 to connect to the mail server and get+delete your email (or do it another way if you are experienced enough with Unix).
Never give out your real email if your real name is in your .plan file and/or gecos field (remember the EXPN command of sendmail ...). Give it only to guys whom you can trust and who are also security conscious, because if they are caught you may follow (or if it's a fed, not a hacker).
Exchange emails with other hackers only if they are encrypted (PGP). SysAdmins OFTEN snoop around user directories and read other people's email! Or another hacker might hack your site and try to get your stuff!

Never use your account in a way which shows interest in hacking. Interest in security is okay, but nothing more.
There are 3 important log files:
  WTMP    - every login/logout, with login/logout time plus tty and host
  UTMP    - who is online at the moment
  LASTLOG - where the logins came from
Others exist, but those will be discussed in the advanced section.
Every login via telnet, ftp, rlogin and, on some systems, rsh is written to these logs. It is VERY important that you delete yourself from those log files if you are hacking, because otherwise they
 a) can see exactly when you did the hacking
 b) from which site you came
 c) how long you were online, and can calculate the impact

NEVER DELETE THE LOGS! It's the easiest way to show the admin that a hacker was on the machine. Get a good program to modify the logs. ZAP (or ZAP2) is often mentioned as the best - but in fact it isn't. All it does is overwrite the last login data of the user with zeros. CERT has already released simple programs which check for those zeroed entries. So that's an easy way to reveal the hacker to the admin too. He'll know someone hacked root access and then all your work was worthless. Another important thing about zap is that it doesn't report if it can't find the log files - so check the paths first before compiling! Get either a program which CHANGES the data (like CLOAK2) or a really good one which DELETES the entries (like CLEAR).

Normally you must be root to modify the logs (except for old distributions which have utmp and wtmp world-writable). But what if you didn't manage to hack root - what can you do? Not very much:
Do an rlogin to the computer you are on, to add a new unsuspicious LASTLOG entry, which will be displayed to the owner when he logs on next time. So he won't get suspicious if he sees "localhost".
Many Unix distributions have a bug in the login command: when you execute it again after you have already logged on, it overwrites the login-from field in the UTMP (which shows the host you are coming from!) with your current tty.

Where are these log files located by default? That depends on the Unix distribution.
  UTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
  WTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
  LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log
On some old Unix dists the lastlog data is written into $HOME/.lastlog.
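The zeroed-entry check that the text credits to CERT's tools is simple to reproduce, and an admin can extend it with a second check the text hints at: wtmp is append-only and chronological on an untouched system, so a record whose timestamp is earlier than its predecessor has been rewritten or spliced. The following Python is an added example for this document, not code from the original text or from ZAP, CLOAK2, CLEAR or any other tool it names. It assumes the classic glibc struct utmp record layout (384 bytes with a 32-bit timeval); other Unix flavours and wtmpx use different layouts and would need REC_FMT adapted. The sample wtmp image is constructed in memory.

```python
import struct

# Record layout of the classic glibc "struct utmp" (384 bytes, 32-bit timeval).
# This is an assumption for the example; other Unix flavours (and wtmpx) use a
# different layout, so REC_FMT would have to be adapted for them.
REC_FMT = "<hxxi32s4s32s256shhiii4i20s"
REC_LEN = struct.calcsize(REC_FMT)          # 384

# ut_type values from <utmp.h>
EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, user, line, host, tv_sec, pid=0):
    """Pack one wtmp record; used here only to build constructed sample data."""
    return struct.pack(REC_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Split a wtmp image into dicts; a trailing partial record is ignored."""
    records = []
    for off in range(0, len(data) - len(data) % REC_LEN, REC_LEN):
        raw = data[off:off + REC_LEN]
        f = struct.unpack(REC_FMT, raw)
        records.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                        "user": _cstr(f[4]), "host": _cstr(f[5]),
                        "time": f[9], "raw": raw})
    return records


def audit_wtmp(data):
    """Return (record index, reason) for every record that looks tampered with.

    An all-zero record is what ZAP leaves behind; a login record without a
    user or timestamp, or a timestamp that jumps backwards, also points to
    someone having edited the file rather than the system appending to it.
    """
    findings = []
    last_time = 0
    for i, rec in enumerate(parse_wtmp(data)):
        if rec["raw"] == b"\0" * REC_LEN:
            findings.append((i, "all-zero record (classic ZAP signature)"))
            continue
        if rec["type"] == USER_PROCESS and (not rec["user"] or rec["time"] == 0):
            findings.append((i, "login record with blank user or zero timestamp"))
        if rec["time"] and rec["time"] < last_time:
            findings.append((i, "timestamp runs backwards (record rewritten or spliced)"))
        last_time = max(last_time, rec["time"])
    return findings


# Constructed sample wtmp: two normal sessions, one zeroed record and one
# record whose time is earlier than its predecessor.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, "alice", "ttyp0", "host-a.example", 1000, pid=101),
    make_record(DEAD_PROCESS, "", "ttyp0", "", 1600, pid=101),
    make_record(USER_PROCESS, "bob", "ttyp1", "host-b.example", 2000, pid=102),
    b"\0" * REC_LEN,
    make_record(USER_PROCESS, "carol", "ttyp2", "host-c.example", 1800, pid=103),
])

if __name__ == "__main__":
    for index, reason in audit_wtmp(SAMPLE_WTMP):
        print(f"record {index}: {reason}")
```

On a real system the same function is run over the bytes of the wtmp file; the DEAD_PROCESS record with an empty user is a normal logout entry and is deliberately not flagged, only USER_PROCESS records are held to the blank-user rule.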

* 5. DON'T LEAVE A TRACE *

I encountered many hackers who deleted themselves from the logs. But they forgot to erase other things they left on the machines:
Files in /tmp and $HOME
...
It should be a different one from the one your current login account uses.
Some shells leave a history file (depending on the environment configuration) with all the commands typed. That's very bad for a hacker. The best choice is to start a new shell as your first command after logging in, and to check every time for a history file in your $HOME.
  bash: .bash_history
  ...
  dead.letter, *.bak, *~
In other words: do an "ls -altr" before you leave!

Here are 4 csh commands which will delete the .history when you log out, without any trace:

    mv .logout save.1
    echo rm .history>.logout
    echo rm .logout>>.logout
    echo mv save.1 .logout>>.logout

(The first command puts the existing .logout aside; the new .logout removes .history and itself and then restores the saved copy.)
* 6. THINGS YOU SHOULD AVOID *

Don't crack passwords on another machine than your own, and then only on an encrypted partition. If you crack them at e.g. a university and root sees your process and examines it, not only your hacking account is history, but also the site the password file came from, and the university will keep all eyes open to watch out for you. Download/grab the passwd data and crack it on a second computer or in a background process. You don't need many cracked accounts, only a few.

If you run important programs like ypx, iss, satan or exploit programs then rename them before executing, or use the small common source to exchange the executed filename in the process list ... every security conscious user (and of course admin) knows what's going on if he sees 5 ypx programs running in the background ... And of course, if possible, don't enter parameters on the command line if the program supports an interactive mode, like telnet. Type "telnet" and then "open target.host.com" ... which won't show the target host in the process list as a parameter.

If you hacked a system - don't put a suid shell somewhere! Better try to install some backdoors like ping, quota or login, and use fix to correct the atime and mtime of the file if you don't have another possibility.
----------------------------------------------------------------------
SECTION IV - THE ADVANCED TECHNIQUES YOU SHOULD TAKE NOTICE OF
----------------------------------------------------------------------

CONTENTS : 1. Preface
           2. Prevent tracing of any kind
           3. Find and manipulate any log files
           4. Check the syslog configuration and logfile
           5. Check for installed security programs
           6. Check the admins
           7. How to "correct" checksum checking software
           8. User security tricks

* 1. PREFACE *

Once you have installed your first sniffer and begin to hack worldwide, then you should know and use these checks & techniques! Use the tips presented here - otherwise your activity will be over soon.
* 2. PREVENT TRACING OF ANY KIND *

Sometimes your hacking will be noticed. That's not a real problem - some of your sites will be down, but who cares, there are enough out there to take over. The *very* dangerous thing is when they try to trace you back to your origin - to deal with you - to bust you!

This short chapter will tell you every possibility THEY have to trace you and what possibilities YOU have to prevent that.

* Normally it should be *no* problem for the admin to identify the system the hacker is coming from, by either: checking the log entries if the hacker was really lame, taking a look at the output of the sniffer the hacker installed (he's in there too), any other audit software like loginlog, or even showing all established connections with "netstat" if the hacker is currently online - expect that they'll find out! That's why you *need* a gateway server.

* A gateway server in between - what is it?
That's one of many, many servers you have accounts on, which are absolutely boring systems, and on which you have got root access. You need the root access to alter the wtmp and lastlog files plus maybe some audit logs; do nothing else on these machines! You should change the gateway servers on a regular basis, say every 1-2 weeks, and don't use them again for at least a month. With this behaviour it's unlikely that they will trace you back to your next point of origin: the hacking server.

* Your hacking server - basis of all activity
From this server you begin hacking. Telnet (or better: remsh/rsh) to a gateway machine and then to the target. You again need root access to change the logs. You should change your hacking server every 2-4 weeks.

* Your bastion/dialup server
This is the critical point. Once they can trace you back to your dialup machine you are already fried. A call to the police, a line trace, and your computer hacking activity is history - and maybe the rest of your future too. You *don't* need root access on a bastion host. Since you only connect to it via modem there are no logs which must be changed. You should use a different account to log on to the system every day, and try to use those which are seldom used. Don't modify the system in any way! You should have at least 2 bastion host systems you can dial up to, and switch between them every 1-2 months.

Note: If you have the possibility to dial up different systems every day (e.g. due to blueboxing) then do so. You don't need a hacking server then.

* Do bluebox/card your call or use an outdial or any other way.
So even when they trace back your bastion host, they can't trace you (easily) ... For blueboxing you must be cautious, because Germany and the phone companies in the USA do have surveillance systems to detect blueboxers ... AT&T traces fake credit card users etc. Using a system in between to transfer your call does on the one hand make tracing more difficult - but also exposes you to the risk of being caught for using a PBX etc. It's up to you. Note too that in e.g. Denmark all - ALL - calling data is saved! Even 10 years after your call they can prove that *you* logged on to the dialup system which was used by a hacker ...

If you want to run satan, iss, ypx, nfs filehandle guessing etc. then use a special server for this. Don't use it to actually telnet/rlogin etc. to a target system, only use it for scanning. Connect to it as if it were a gateway server.

Tools are out there which bind to a specific port and, when a connection is established to this port, automatically open a connection to another server; some others just act like a shell on the system, so you do a "telnet" from this socket daemon too. With such a program running you won't be written to any log except firewall logs. There are numerous programs out there which do that.

If possible, the hacking server and/or the gateway machine should be located in a foreign country! Because if your break-in (attempt) was detected and your origin host identified, then most admins will tend to give up hunting after you. Even if the feds try to trace you through different countries it will delay them by at least 2-10 weeks ...

# Conclusion : If you hack other stuff than universities then do it this way! Here is a small picture to help you ;-)

  +-------+     ~---------------->     +-------------+     +-----------+
  |+-----+|     >hopefully       >     |one of at    |     |one of many|
  || YOU || --> >a trace-safe    > --> |least 3      | --> |hacking    |
  |+-----+|     >dial possibility>     |bastion hosts|     |server     |
  +-------+     ~---------------->     +-------------+     +-----------+
                                                                 |
                                                                 V
  +-----------------+              +--------+              +-----------+
  |maybe additional |              |  the   |              |one hacked |
  |server from      | ... <-- ...  |  main  |  <-- ...     |server as  |
  |internal network |              | target |              |gateway    |
  +-----------------+              +--------+              +-----------+
* 3. FIND AND MANIPULATE ANY LOG FILES *

It's important that you find all log files - even the hidden ones. To find any kind of log file there are two easy possibilities:
1) Find all open files.
   Since all log files must be written somewhere, get the cute program LSOF - LiSt Open Files - to see them ... check them ... and if necessary correct them.
2) Search for all files changed after your login.
   After your login do a "touch /tmp/check", then work on. Later just do a "find / -newer /tmp/check -print" and check whether any of those are audit files. see > check > correct.
   Note that not all versions of find support the -newer option. You can also do a "find / -ctime 0 -print" or "find / -cmin 0 -print".

Check all log files you find. Normally they are in /usr/adm, /var/adm or ...
If things are logged to @loghost then you are in trouble. You need to hack the loghost machine to modify the logs there too ...

To manipulate the logs you can either do things like "grep -v", or do a line count with wc and then cut off the last 10 lines with "head -LineNumbersMinus10", or use an editor etc. If the log/audit files are not text files but data records ... identify the software which writes the log files. Then get the source code. Then find the matching header file which defines the structure of the file. Get zap, clear, cloak etc. and rewrite it with the header file for use with this special kind of log file (and it would be kind to publish your new program to the hacker society to save others much work).

If accounting is installed then you can use the acct-cleaner from zhart, also in this release - it works and is great!

A small gimmick if you must modify wtmp but can't compile a source and no perl etc. is installed (worked on SCO but not on Linux): do a uuencode of wtmp. Run vi, scroll down to the end of the file, and delete the last 4 (!) lines beginning with "M" ... then save+exit, uudecode. Then the last 5 wtmp entries are deleted ;-)

If the system uses wtmpx and utmpx as well you are in trouble ... I don't know of any cleaner so far which can handle them. Program one and make it available for the scene.
* 4. CHECK THE SYSLOG CONFIGURATION AND LOG *

Most programs use the syslog function to log anything they want. It's important to check the configuration to see where syslog prints ...
The config file is /etc/syslog.conf - and I won't tell you here what the format is and what each entry means. Read the manpages about it. Important for you are the kern.*, auth.* and authpriv.* types. Look where they are written to: files can be modified. If forwarded to other hosts you must hack those too. If messages are sent to a user, tty and/or console you can do a small trick and generate false log messages like "echo 17:04 12-05-85 kernel sendmail[243]: can't resolve bla.bla.com > /dev/console", or to whichever device you want to flood, so that the message you want to hide simply scrolls off the screen. These log files are *very* important! Check them.
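Read from the other side of the fence, the paragraph above is a checklist for the admin: the kern, auth and authpriv facilities should reach a host the intruder has not got root on, and should not depend on a terminal that can be scrolled away. The following Python is an added example for this document, not code from the original text or from any syslogd; it parses the classic BSD syslog.conf format (selector, whitespace, action) as described in the manpages, over a constructed configuration embedded in the block, and reports exactly the two weaknesses the text tells an intruder to look for. Facility lists with commas, the "fac.none" exclusion and the Linux "-/path" prefix are handled; continuation lines and syslog-ng style configs are not.

```python
# Constructed /etc/syslog.conf in the classic BSD format (selector, whitespace,
# action); it is sample input for this example, not taken from any real host.
SAMPLE_SYSLOG_CONF = """\
# kernel and security messages (constructed example)
*.err;kern.debug;auth.notice            /dev/console
*.notice;kern.debug;lpr.info;mail.crit  /var/adm/messages
auth.*;authpriv.*                       /var/log/authlog
mail.info                               -/var/log/maillog
*.emerg                                 *
kern.*                                  @loghost
"""

# The facilities the text singles out as the ones an intruder cares about.
WATCH = ("kern", "auth", "authpriv")


def parse_syslog_conf(text):
    """Return (selectors, action) per rule; selectors is a list of (facility, priority)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # blank, comment or malformed line
        sel_part, action = parts
        selectors = []
        for sel in sel_part.split(";"):
            if "." not in sel:
                continue
            facs, prio = sel.rsplit(".", 1)
            for fac in facs.split(","):   # "auth,authpriv.*" lists several facilities
                selectors.append((fac.strip(), prio.strip()))
        rules.append((selectors, action.strip()))
    return rules


def classify(action):
    """Map a syslog action to the kind of destination it is."""
    target = action.lstrip("-")           # "-/path" means "no fsync" on Linux syslogd
    if target.startswith("@"):
        return "remote"
    if target.startswith("|"):
        return "pipe"
    if target.startswith("/dev/"):
        return "console"                  # a tty or the console
    if target.startswith("/"):
        return "file"
    return "users"                        # "*" or a user list: written to terminals


def destinations(text):
    """Map each watched facility to the set of actions receiving (some of) its messages."""
    dest = {fac: set() for fac in WATCH}
    for selectors, action in parse_syslog_conf(text):
        for fac, prio in selectors:
            if prio == "none":
                continue                  # "fac.none" excludes the facility from this rule
            for watched in WATCH:
                if fac in ("*", watched):
                    dest[watched].add(action)
    return dest


def audit_syslog_conf(text):
    """Return (facility, warning) pairs for the weaknesses an intruder would exploit."""
    warnings = []
    for fac, actions in destinations(text).items():
        if not actions:
            warnings.append((fac, "not logged anywhere"))
            continue
        kinds = {classify(a) for a in actions}
        if "remote" not in kinds:
            warnings.append((fac, "no off-host copy: a local file can be edited by anyone with root"))
        if kinds <= {"console", "users"}:
            warnings.append((fac, "only reaches terminals: can be scrolled away by flooding"))
    return warnings


if __name__ == "__main__":
    for facility, warning in audit_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(f"{facility}: {warning}")
```

In the constructed sample only kern.* is forwarded to @loghost, so the audit reports that auth and authpriv have no off-host copy; the fix on a real host is one more line sending those facilities to the loghost as well, and the loghost itself then needs the same scrutiny the text gives it.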

* 5. CHECK FOR INSTALLED SECURITY PROGRAMS *

On most security conscious sites there are security checkers run by cron. The normal directory for the crontabs is /var/spool/cron/crontabs. Check out all entries, especially the "root" file, and examine the files they run. For just a fast look at root's crontab type:
   ...

Some of those security tools are also installed in the admins' accounts most of the time. Some of them (small utils to check wtmp, and whether a sniffer is installed) are in their ~/bin. Read below to identify those admins and check their directories.

Internal checking software can be tiger, cops, spi, tripwire, l5, binaudit, hobgoblin, s3 etc.

You must examine what they report and *if* they would report something that would be a sign of your break-in. If yes, you can
 - update the data files of the checker (learn mode) so that it won't report that type anymore
 - reprogram/modify the software so that it doesn't report it anymore (I *love* fake cpm programs ;-)
 - if possible remove the e.g. backdoor you installed and try to do it in another way.
* 6. CHECK THE ADMINS *

It is important for you to check the sysops for the security countermeasures they take - so first you need to know which normal accounts are ...
You can check the .forward file of root and the alias entry of root. Take a look into the sulog and note those people who did a successful su to root. Grab the group file and examine the wheel and admin groups (and whatever other groups in this file are related to administration). Also grep'ing the passwd file for "admin" will reveal the administrators.
Now you should know who the 1-6 administrators of the machines are. Change into their directories (use chid.c, changeid.c or similar to become the user if root is not allowed to read every file) and check their .history/.sh_history/.bash_history to see what commands they usually type. Check their .profile/.login/.bash_profile files to see what aliases are set and whether automatic security checks or logging are done. Examine their ~/bin directory! Most of the time compiled security checking programs are put there! And of course take a look into each directory they've got beside that (ls -alR ~/). If you find any security-related stuff, read 5.) for possibilities to bypass those protections.
* 7. HOW TO "CORRECT" CHECKSUM CHECKING SOFTWARE *

Some admins really fear hackers and install software to detect changes to their valuable binaries. If one binary is tampered with, the next time the admin does a binary check it's detected. So how can you a) find out if such binary checkers are installed and b) modify them so you can plant your trojan horse?

Note that there are many binary checkers out there and it's really easy to write one - it takes only 15 minutes - and can be done with a small script. So it's hard to find such software if it's installed. Note that internal security checking software sometimes also supports such checking. Here are some widely used ones:

  SOFTWARE  : STANDARD PATH                          : BINARY FILENAMES
  tripwire  : /usr/adm/tcheck, /usr/local/adm/tcheck : databases, tripwire
  binaudit  : /usr/local/adm/audit                   : auditscan
  hobgoblin : ~user/bin                              : hobgoblin
  raudit    : ~user/bin                              : raudit.pl
  l5        : compile directory                      : l5

But as you can see there are too many possibilities! The software or database could even be on a normally unmounted disk or an NFS exported partition of another host. Or the checksum database is on a write-protected medium. There are too many possibilities. But normally you can just do the fast check whether the above packages are installed and, if not, go on exchanging binaries. If you *don't* find them but it actually *is* a very well secured site then you should NOT tamper with the binaries! They surely have got them hidden very well.

But what do you do when you find that software installed and you can modify it (e.g. it's not on a write-protected medium, or that can be bypassed - for example by unmounting the disk and remounting it writable)? You've got 2 possibilities:
First, you can just check the parameters of the software and run an "update" on the modified binary. For example for tripwire that's "tripwire -update /bin/target".
Second, you can modify the file list of the binaries being checked - removing the entry of the replaced one.
Note that you should also check whether the database file itself is checked for changes too! If yes - update/delete the entry as well.
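Both evasions in the paragraph above, re-running the update and deleting the entry for the replaced binary, work because the checker trusts a database that anyone with root can rewrite. The defence the text's last sentence points at is to make the database itself checkable with something root on that box does not have: here a key kept on read-only or removable media. The following Python is an added example for this document, not code from the original text or from tripwire or any other checker it names; file names, the key and the scenario in demo() are all constructed in a temporary directory. It builds a SHA-256 baseline sealed with an HMAC and then shows that a replaced binary, a forged update made without the key, and a deleted entry are each reported.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Relative paths of every regular file below root, sorted for a stable baseline."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            found.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(found)


def build_baseline(root, key):
    """Hash every file under root and seal the table with an HMAC under `key`.

    Whoever runs an "update" or deletes an entry without the key cannot
    produce a valid tag, so the edit itself becomes detectable.
    """
    entries = {rel: file_digest(os.path.join(root, rel)) for rel in walk_files(root)}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}, sort_keys=True).encode()


def verify_baseline(root, key, baseline):
    """Check the baseline's seal, then compare the current tree against it."""
    doc = json.loads(baseline)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {
        "baseline_ok": hmac.compare_digest(expected, doc.get("hmac", "")),
        "changed": [], "missing": [], "added": [],
    }
    current = {rel: file_digest(os.path.join(root, rel)) for rel in walk_files(root)}
    for rel, digest in doc["entries"].items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["changed"].append(rel)
    report["added"] = sorted(set(current) - set(doc["entries"]))
    report["changed"].sort()
    report["missing"].sort()
    return report


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a binary is replaced, then both evasions from the
    text are tried against the sealed baseline. Returns the four reports."""
    key = b"constructed-key-kept-off-host"   # in practice: read-only or removable media
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"login v1")
        _write(root, "bin/ps", b"ps v1")
        baseline = build_baseline(root, key)
        clean = verify_baseline(root, key, baseline)

        _write(root, "bin/login", b"login v1 + extra code")    # the replaced binary
        tampered = verify_baseline(root, key, baseline)

        # Evasion 1: re-run the update; without the real key the seal is wrong.
        forged = verify_baseline(root, key, build_baseline(root, b"guessed-key"))

        # Evasion 2: drop the entry for the replaced binary from the database.
        doc = json.loads(baseline)
        del doc["entries"]["bin/login"]
        edited = verify_baseline(root, key, json.dumps(doc).encode())
    return clean, tampered, forged, edited


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered", "forged", "edited"), demo()):
        print(label, rep)
```

The seal does not stop someone who has the key, and it does not help if the verifier binary itself is replaced, which is why the text's advice about databases on unmounted or write-protected media still applies: the key and the verifier have to live somewhere the compromised host cannot write.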

* 8. USER SECURITY TRICKS *

This is a rare thing and is only included for the sake of completeness. Some users, namely admins and hackers, usually don't want their own accounts to be used by someone else. That's why they sometimes put some security features into their startup files. So check all dotfiles (.profile, .cshrc, .login, .logout etc.) for what commands they execute, what history logging and which search path they set. If e.g. $HOME/bin comes before /bin in the search path you should check the contents of this directory ... maybe there's a program called "ls" or "w" installed which logs the execution time and after that executes the real program. Others automatically check the wtmp and lastlog files for zap usage, manipulation of .rhosts, .Xauthority files, active sniffers etc. Never mess with an account a Unix wizard is using!
* 9. MISCELLANEOUS *

Finally, before some last words about being under suspicion or getting
caught, here are some miscellaneous things worth taking notice of.

Old telnet clients export the USER variable. An administrator who knows
that and has modified telnetd can collect all user names with it and so
identify the account you are hacking from, once he notices you.
The new clients have been fixed, but a clever admin has other
possibilities to identify the user: the UID, MAIL and HOME variables are
still exported and make identifying the account used by the hacker easy.
Before you do a telnet, change the USER, UID, MAIL and HOME variables,
maybe even the PWD variable if you are in the home
On HP-UX < v10 you can make hidden directories. I'm not talking about
. (dot) files or similar but about a special flag. HP introduced it in v9,
but it was removed in version 10 (because it was only used by hackers ;-).
If you do a "chmod +H directory" it's invisible to "ls -al".
To see the hidden directories you need to add the -H switch to ls, e.g.
"ls -alH" to see everything.
Whenever you need to change the date of a file, remember that you can use
the "touch" command to set the atime and mtime.
You can set the ctime only by raw writes to the hard disk ... The kernel
stamps ctime with the current clock on every inode change, the touch
itself included, so a binary whose ctime is much newer than its mtime and
than the ctime of the files installed beside it stands out to anyone who
looks.
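Added example (editor's code, not from the original text): the check an
admin can run against the touch trick above. It reads (name, mtime, ctime)
for every file in a directory and flags files whose ctime is far newer than
the median ctime of their neighbours and also newer than their own mtime,
the combination a replaced-then-touched binary leaves behind. The SAMPLE
records and their timestamps are constructed; collect() gathers real ones
from a directory.

```python
import os
import statistics
from typing import Iterable, List, Tuple

Record = Tuple[str, float, float]  # (name, mtime, ctime) in seconds since the epoch


def collect(directory: str) -> List[Record]:
    """Read (name, mtime, ctime) for every regular file in a directory."""
    out = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            st = os.stat(path)
            out.append((name, st.st_mtime, st.st_ctime))
    return out


def ctime_outliers(records: Iterable[Record], window: float = 3600.0) -> List[str]:
    """Names whose ctime is more than `window` seconds newer than the median
    ctime of the set. Files installed together share roughly one ctime; a
    binary replaced later and touched back to the old mtime keeps the new
    ctime, because touch cannot set it."""
    recs = list(records)
    if len(recs) < 3:
        return []  # no meaningful median to compare against
    median = statistics.median(c for _, _, c in recs)
    return sorted(n for n, _, c in recs if c - median > window)


def backdated(records: Iterable[Record], slack: float = 1.0) -> List[str]:
    """Names whose mtime is older than their ctime: the inode was changed after
    the content timestamp. On its own this is weak evidence (tar and package
    installs preserve mtime too), which is why it is combined below."""
    return sorted(n for n, m, c in records if c - m > slack)


def suspicious(records: Iterable[Record], window: float = 3600.0) -> List[str]:
    """Files that are both ctime outliers among their neighbours and backdated."""
    recs = list(records)
    return sorted(set(ctime_outliers(recs, window)) & set(backdated(recs)))


# Constructed sample: a system directory installed at INSTALL, incident at NOW.
INSTALL = 800_000_000.0
NOW = 850_000_000.0
SAMPLE = [
    ("cat", INSTALL, INSTALL),
    ("ls", INSTALL, NOW),              # replaced, then "touch -r cat ls"
    ("ps", INSTALL, INSTALL),
    ("sh", INSTALL + 5, INSTALL + 5),
    ("login", INSTALL, INSTALL + 40),  # permissions fixed right after install
]
```

suspicious(SAMPLE) returns ["ls"]; "login" is backdated but not an outlier
and is left alone. Run suspicious(collect("/bin")) on a live system.
Legitimate patches also produce ctime outliers, so the result is a list to
reconcile against update records, not a verdict.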
\r
If you install a sniffer on an important system, then make sure that you
either obfuscate the sniffer output (with an encryption algorithm [and I'm
not talking about rot13]) or let the sniffer send all the captured data
via icmp or udp to an external host under your control. Why? If the admin
somehow finds the sniffer (cpm and other software checks for sniffers), he
can't identify from the logfile what data was sniffed, so he can't warn
the hosts sniffed by you.
----------------------------------------------------------------------

Once you are under suspicion (by either police and/or administrator) you
should take special actions so they won't get evidence on you.

NOTE : If the administrators think you are a hacker,
       YOU ARE GUILTY UNTIL PROVEN INNOCENT

The law means nothing to the admins (sometimes I think the only difference
between a hacker and an administrator is that the computer belongs to the
latter). When they think you are a hacker you are guilty, without a lawyer
to speak for you. They'll monitor you, your mails, your files and, if they
are good enough, your keystrokes as well.

When the feds are involved, your phone line might be monitored too, and a
raid might come soon.

If you notice or fear that you are under suspicion then keep an absolutely
low profile! Take no offensive action which points to hacking.

The best thing is to wait at least 1-2 months and do nothing.
Warn your friends not to send you any email; public, normal, non-offensive
mail is wonderful, but pgp encrypted emails will ring the alarm bells of
monitoring admins and feds. Cut down on everything, write some texts or
program tools for the scene and wait until things have settled. Remember
to encrypt all your sensitive data and remove all papers with account
data, phone numbers etc. That's the most important stuff the feds are
looking for when they raid you.
----------------------------------------------------------------------

Note that this small chapter covers only the ethics and basics and has no
references to current laws - because they are different

Now we are talking about the stuff you should/shouldn't do once the feds
have visited you. There are two *very* important things you have to do:

1) GET A LAWYER IMMEDIATELY !
   The lawyer should phone the judge and appeal against the search
   warrant. This doesn't help much but may hinder them in their work.
   The lawyer should tell you everything you need to know about what the
   feds are allowed to do and what not.
   The lawyer should write a letter to the district attorney and/or
   police to request the computers back as fast as possible because they
   are urgently needed to do business etc.
   As you can see it is very useful to have a lawyer at hand already
   instead of searching for one after the raid.

2) NEVER TALK TO THE COPS !
   The feds can't promise you anything. If they tell you you'll get away
   if you talk, don't trust them! Only the district attorney has the power
   to do this. The cops just want to get all the information possible. So
   if you tell them anything they'll have more information from and
   against you.
   You should *always* refuse to give evidence - tell them that you will
   only talk with them via your lawyer.

Then you should make a plan with your lawyer how to get you out of this
shit and reduce the damage.
But please keep in mind: don't betray your friends. Don't tell them any
secrets. Don't blow up the scene.
If you do, that's a boomerang: the guys & the scene will be very angry
and take revenge, and those guys who'll be caught because of your
evidence will also talk ... and give the cops more information about

Note also that once you are caught you get blamed for everything which
happened on that site. If you (or your lawyer) can show them that they
don't have evidence against you for all those cases, they might have
trouble keeping up the picture of the "evil hacker" they'll try to paint
of you in court. If you can even prove that you couldn't have done some
of the crimes they accuse you of, your chances are even better. When the
judge sees that false accusations are made he'll suspect that there could
be more false ones and will become distrustful of the badly prepared
charges against you.

I often get asked if the feds/judge can force you to give up your
passwords for PGP, encrypted files and/or hard disks.
That's different for every country. Check whether they could force you to
open your locked safe.
If that's the case you should hide the fact that you are encrypting your
data! Talk with your lawyer about whether it's better for you to resist
the order to hand over the password - maybe they'd get evidence which
could get you into jail for many years.

(For German readers: THC-MAG #4 will have an article about German law as
far as it concerns hacking and phreaking - that article will of course be
checked by a lawyer to be correct. Note that #4 will only discuss Germany
and hence will be in the German language.
But non-Germans, keep ya head up, this will be the first and last
German-only magazine release ;-)
----------------------------------------------------------------------

Here is a small list of programs you should get and use (the best!).
DON'T email me where to get them from - ask around in the scene!
I only present here the best log modifiers (see III-4 and IV-3).
Other programs of interest are telnet redirectors (see IV-2), but there
are so many, and most compile only on 1-3 unix types, so there's no use
making a list.

First a small glossary of terms :
Change    - Changes fields of the logfile to anything you want
Delete    - Deletes, cuts out the entries you want
Edit      - real Editor for the logfile
Overwrite - just Overwrites the entries with zero-value bytes.
            Don't use such software (f.e. zap) - it can be detected!

ah-1_0b.tar   Changes the entries of accounting information
clear.c       Deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c      Changes the entries in utmp, wtmp and lastlog
invisible.c   Overwrites utmp, wtmp and lastlog with predefined values, so
              it's better than zap. Watch out, there are numerous inv*.c !
marryv11.c    Edits utmp, wtmp, lastlog and accounting data - best!
wzap.c        Deletes entries in wtmp
wtmped.c      Deletes entries in wtmp
zap.c         Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!
----------------------------------------------------------------------

Last fucking words:
Don't get caught, remember these tips and keep your chin up.
If someone would like to correct some points, or would like to add a
comment, or needs more information on a topic or even thinks something's
missing - then drop me a note.
Type Bits/KeyID    Date       User ID
pub  1024/3B188C7D 1995/10/10 van Hauser/THC of LORE BBS

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQCNAzB6PNQAAAEEALx5p2jI/2rNF9tYandxctI6jP+ZJUcGPTs7QTFtF2c+zK9H
ElFfvsC0QkaaUJjyTq7TyII18Na1IuGj2duIHTtG1DTDOnbnZzIRsXndfjCIz5p+
Dt6UYhotbJhCQKkxuIT5F8EZpLTAL88WqaMZJ155uvSTb9uk58pv3AI7GIx9AAUT
tBp2YW4gSGF1c2VyL1RIQyBvZiBMT1JFIEJCU4kAlQMFEDJ2gzNAf3b9d/IP1QEB
5DwD+gJRh6m4h0fVgpQJkOiuQD68lV5w8C0F5R3jk/o6Pollaf7gtVhG8BGGo5/7
/yiH40gujc82rJdmihwcKuZQtwt8X28VN8uy56SCpXD5wjjOZpq0t0qSXmhgunZ0
m7xv7R4mWRzFclsgQCMwXNgp4sXgw64bVm8FhEdkrVSO8iTyiQCVAwUQMkMhCspv
3AI7GIx9AQFstAP+Jrg7V06FGV/sTzegFNoaSyOItkvXjctzFsXuBfta2M7EzPX3
UR3kM4/W4xE70H4XmMOJ9RmTzs+MuhSq8BtGQtYaJqGjxe/ldbvGOXRxR1rBJAKS
yDQYu0VJ/Ae8yuJcMS312jqwg8OLgYnQaqEoaRM4HEiB+hgDRqnFKpDxkhSJAJUD
BRAyQx8E5y7IvlL6xvEBAQ+bA/9baK7f3M9F5n4aASy04WHOreUNpGQ8DXgtMVq7
KVdXMIWjURsboR+wt5eJTPeL00lHS5eqmZlNzGV9hWtzAr20qrKLmvE20Ke4VPB0
a/tWXNUdvLnk4ENbTBFfMMdnlDo3hSThSMQ7yZ9UEYgighKu6l2fG5UG6D+kXFLy
-----END PGP PUBLIC KEY BLOCK-----

------------------------------------------------------------------------------